ReportizFlow
Filtered by vendor
Subscriptions
Total
800 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2526 | 2025-04-08 | 8.8 High | ||
| The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2024-50685 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | 9.1 Critical |
| SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model. | ||||
| CVE-2024-50686 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | 9.1 Critical |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model. | ||||
| CVE-2024-50687 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | 9.1 Critical |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model. | ||||
| CVE-2024-50689 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | 9.1 Critical |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model. | ||||
| CVE-2024-50693 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | 9.1 Critical |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model. | ||||
| CVE-2024-0872 | 1 Kibokolabs | 1 Watu Quiz | 2025-04-07 | 4.3 Medium |
| The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user meta data which can include session tokens and user emails. | ||||
| CVE-2022-40319 | 1 Lsoft | 1 Listserv | 2025-04-04 | 7.5 High |
| The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account. | ||||
| CVE-2022-45927 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | 8.8 High |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code. | ||||
| CVE-2024-51066 | 1 Phpgurukul | 1 Beauty Parlour Management System | 2025-04-04 | 7.5 High |
| An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers. | ||||
| CVE-2024-53406 | 1 Espressif | 1 Esp-idf | 2025-04-03 | 8.8 High |
| Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks. | ||||
| CVE-2024-55506 | 1 Codeastro | 1 Complaint Management System | 2025-04-03 | 8.8 High |
| An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an attacker to execute arbitrary code and obtain sensitive information via the delete.php file and modifying the id parameter. | ||||
| CVE-2023-4836 | 1 Userprivatefiles | 1 Wordpress File Sharing Plugin | 2025-04-03 | 4.3 Medium |
| The WordPress File Sharing Plugin WordPress plugin before 2.0.5 does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced | ||||
| CVE-2004-0412 | 1 Gnu | 1 Mailman | 2025-04-03 | 6.5 Medium |
| Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server. | ||||
| CVE-2025-31867 | 2025-04-01 | 5.4 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.2. | ||||
| CVE-2025-31833 | 2025-04-01 | 4.9 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through 1.2.7. | ||||
| CVE-2024-28320 | 2 Hospital Management System Project, Mayurik | 2 Hospital Management System, Hospital Management System | 2025-04-01 | 7.6 High |
| Insecure Direct Object References (IDOR) vulnerability in Hospital Management System 1.0 allows attackers to manipulate user parameters for unauthorized access and modifications via crafted POST request to /patient/edit-user.php. | ||||
| CVE-2021-36874 | 1 Stylemixthemes | 1 Ulisting | 2025-03-28 | 7.1 High |
| Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5). | ||||
| CVE-2025-1667 | 1 Igexsolutions | 1 Wpschoolpress | 2025-03-28 | 8.8 High |
| The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators. | ||||
| CVE-2024-4886 | 1 Buddyboss | 1 Buddyboss Platform | 2025-03-28 | 4.3 Medium |
| The contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request | ||||